Bad actors can hide their unauthorized access by exploiting or misusing delegate control permissions in Active Directory. If you add someone to a Privileged Access group like Domain Admins, it is easily seen by a reviewer and by security monitoring solutions, if you have one. In fact, after a successful infiltration a bad actor's first task is to hide their tracks and hide the fact that they have Privileged Access; the same is true for insider threats. Bad actors and insider threats will try to take over an account that looks like a test account or a departed user and give that account Privileged Access through delegate control. There may also be accounts whose access was customized at some point to grant additional admin rights and then forgotten: people moved on to other jobs, but the permissions remained. Their actions may still be detected through careful monitoring and appropriate review.
What are Delegate Permissions?
Delegate permissions in Active Directory refer to the ability to assign specific administrative tasks or rights to users or groups within the directory service. These permissions are typically granted to individuals or groups who need to perform certain administrative or management functions without having full or unrestricted access to the entire Active Directory. Delegate permissions allow for a more fine-grained and controlled approach to managing Active Directory objects and services.
Delegate permissions can be assigned at various levels, including the domain, organizational unit (OU), or specific objects within Active Directory. The specific tasks or permissions that can be delegated depend on the administrative role and the needs of the organization. Some common examples of delegate permissions in Active Directory include:
- Reset Password: Delegating the permission to reset user passwords. This is commonly assigned to help desk personnel or support staff.
- Run Admin Tasks: Delegating permissions for domain administrative tasks.
- Replicate the Domain or Modify Domain Trusts: Replicating all directory data to a new Domain Controller, or creating or modifying a Domain Trust.
- Create/Delete User Accounts: Allowing the creation or deletion of user accounts, typically assigned to human resources or account provisioning teams.
- Manage Group Membership: Permission to add or remove users from security groups or distribution groups.
- Create/Delete Computer Objects: Granting the ability to join computers to the domain or remove them from the domain.
- Create/Delete Organizational Units (OUs): Permission to create or delete OUs, which helps in organizing Active Directory objects.
- Manage Group Policies: Configuring and managing Group Policy settings for specific OUs or groups.
- Exchange Mailbox Permissions: Delegating rights to manage mailbox permissions in an Exchange environment integrated with Active Directory.
- DNS Management: Allowing DNS record management for specific zones or records.
- Schema Management: Rarely delegated, this permission allows for making changes to the Active Directory schema, which is a highly sensitive and advanced operation.
Ghost Domain Admins: accounts granted "Domain Admin like" permissions without being added to the Domain Admins group.
What permissions are not visible in plain sight?
- Extended Permissions: Some permissions are considered "extended" or "advanced" and are not shown in the default permission interfaces, such as the Active Directory Users and Computers (ADUC) GUI. To view and set these extended permissions, you may need to use command-line tools, like dsacls or PowerShell scripts.
- Attribute-Level Permissions: Active Directory allows for fine-grained control over individual attributes of objects. Some attribute-level permissions, such as controlling who can read or write specific attributes, might not be visible in the standard GUI, but they can be configured using tools like the Active Directory Administrative Center (ADAC) or PowerShell.
- Delegate Control Wizard: In the Active Directory Users and Computers GUI, you can use the "Delegate Control" wizard to assign specific permissions to users or groups. While this is not hidden, the specific permissions you delegate may not be readily visible in the standard user interface, and you might need to inspect the underlying permissions to see the full details.
- Forest-Level Permissions: Some permissions and settings are related to the entire Active Directory forest, and they can be managed using the Active Directory Sites and Services or other forest-level tools. These permissions can affect the overall structure and operation of the Active Directory forest.
- Group Policy Permissions: Permissions related to Group Policy management, such as creating, editing, or linking Group Policy objects (GPOs), are not always directly visible in the standard GUIs, but they are managed through specific tools like the Group Policy Management Console (GPMC).
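The delegated rights listed above, and the extended and attribute-level permissions that the standard GUI does not surface, are all stored as ACEs on the directory objects themselves, so they can be enumerated directly. The following PowerShell is an added example, not code from the original article: it walks the domain root, AdminSDHolder and every OU, resolves each ACE's ObjectType GUID against this forest's own schema and Extended-Rights container (so nothing is hard-coded), and reports the explicit grants that add up to "Domain Admin like" control. It assumes the ActiveDirectory RSAT module (which provides the AD: drive) and read access to the schema and configuration partitions; the function names are the example's own.

```powershell
# Added example (not code from the original article): report explicit ACEs on the domain
# root, AdminSDHolder and every OU that grant "Domain Admin like" control to principals
# outside the built-in administrative groups. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$netbios  = (Get-ADDomain).NetBIOSName

# GUID -> name map built from the directory itself, so ACEs can be reported by name
# (e.g. "DS-Replication-Get-Changes-All", "Member") instead of by raw GUID.
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.name }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.name }

# Principals that hold broad rights by design; anything else is a delegation to review.
$expectedTrustees = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'BUILTIN\Administrators',
    "$netbios\Domain Admins", "$netbios\Enterprise Admins", "$netbios\Domain Controllers"
)

# Extended rights that are equivalent to domain takeover: domain replication (reads all
# directory data, secrets included) and forced password reset on the users the ACE covers.
$dangerousExtended = 'DS-Replication-Get-Changes', 'DS-Replication-Get-Changes-All', 'User-Force-Change-Password'

function Resolve-AdGuid([guid]$Id) {
    # An empty GUID means "every attribute" or "every extended right".
    if ($Id -eq [guid]::Empty) { return '(all)' }
    if ($guidMap.ContainsKey($Id)) { return $guidMap[$Id] }
    return $Id.ToString()
}

function Find-RiskyDelegation {
    param([Parameter(Mandatory)][string[]]$DistinguishedName)
    $R = [System.DirectoryServices.ActiveDirectoryRights]
    foreach ($dn in $DistinguishedName) {
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            # Explicit Allow ACEs only: inherited ones are reported at the object where they were set.
            if ($ace.AccessControlType -ne 'Allow' -or $ace.IsInherited) { continue }
            $trustee = $ace.IdentityReference.Value
            if ($expectedTrustees -contains $trustee) { continue }

            $target  = Resolve-AdGuid $ace.ObjectType
            $rights  = $ace.ActiveDirectoryRights
            $reasons = @()
            if ($rights.HasFlag($R::GenericAll)) { $reasons += 'GenericAll (full control)' }
            if ($rights.HasFlag($R::WriteDacl))  { $reasons += 'WriteDacl (can rewrite permissions)' }
            if ($rights.HasFlag($R::WriteOwner)) { $reasons += 'WriteOwner (can take ownership)' }
            if ($rights.HasFlag($R::ExtendedRight) -and ($target -eq '(all)' -or $dangerousExtended -contains $target)) {
                $reasons += "ExtendedRight: $target"
            }
            if ($rights.HasFlag($R::WriteProperty) -and ($target -eq '(all)' -or $target -eq 'Member')) {
                $reasons += "WriteProperty: $target (group membership)"
            }
            if ($reasons.Count -eq 0) { continue }

            [pscustomobject]@{
                Object          = $dn
                Trustee         = $trustee
                InheritanceType = $ace.InheritanceType
                LimitedToClass  = Resolve-AdGuid $ace.InheritedObjectType
                Reasons         = $reasons -join '; '
            }
        }
    }
}

# Usage: review the domain root, AdminSDHolder and all OUs, then keep the CSV as evidence.
$targets = @($domainDn, "CN=AdminSDHolder,CN=System,$domainDn") +
           @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
Find-RiskyDelegation -DistinguishedName $targets |
    Sort-Object Trustee, Object |
    Tee-Object -Variable risky |
    Format-Table -AutoSize
$risky | Export-Csv -Path '.\ad-delegation-review.csv' -NoTypeInformation
```

Every row is a review item rather than a verdict: a help desk group holding User-Force-Change-Password on a user OU is expected, but the same right on the domain root, or any trustee with WriteDacl, WriteOwner, replication rights or WriteProperty on Member, is exactly the kind of "ghost admin" grant the article describes. Run it from an administrative workstation with RSAT rather than on a domain controller, and keep the CSV so the next review can be compared against it.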
How to protect your Domain from hidden Delegate Control and Extended Permissions?
- Establish a baseline configuration: Perform a review and establish a baseline configuration of your security settings and object permissions.
- Monitoring: Active Directory should be regularly monitored for suspicious activities. Logging and auditing are crucial for identifying unauthorized or malicious actions. Events and logs can reveal changes made by users with delegate control permissions.
- Regular Reviews: Periodically reviewing delegate control permissions and their assigned tasks can help ensure that they are used as intended. Any unauthorized or unusual assignments can be identified and rectified.
- Threat Detection Solutions: Consider using threat detection and monitoring solutions that can identify and alert you to unusual or malicious activities in Active Directory. For example, SCOM (System Center Operations Manager), Microsoft Sentinel and Advanced Threat Protection are products that can help you detect Active Directory permission changes, suspicious security events and changes in your configuration baseline.
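The three steps above (baseline, monitoring, regular review) can be wired together with a small amount of PowerShell. The script below is an added example, not code from the original article: it snapshots the security descriptor of the domain root, AdminSDHolder and every OU as a JSON baseline, diffs a later snapshot against it, and pulls the Security-log events that record who edited a permission or a GPO. It assumes the ActiveDirectory RSAT module, that the "Audit Directory Service Changes" subcategory is enabled for success on the domain controllers (event 5136 is not logged otherwise), and that the file paths and domain controller name in the usage lines are placeholders; the function names are the example's own.

```powershell
# Added example (not code from the original article): ACL baseline, baseline diff and
# permission-change event review for Active Directory. Assumes the ActiveDirectory RSAT
# module and that "Audit Directory Service Changes" is enabled on the domain controllers.
Import-Module ActiveDirectory

function Get-AdAclTarget {
    # The objects whose permissions matter most: domain root, AdminSDHolder and every OU.
    $domainDn = (Get-ADRootDSE).defaultNamingContext
    @($domainDn, "CN=AdminSDHolder,CN=System,$domainDn") +
    @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
}

function Export-AdAclBaseline {
    param([Parameter(Mandatory)][string]$Path)
    # SDDL is a text form of the descriptor (owner, group and DACL), so a plain string
    # comparison is enough to detect any permission change on an object.
    $snapshot = foreach ($dn in Get-AdAclTarget) {
        $acl = Get-Acl -Path "AD:\$dn"
        [pscustomobject]@{ Object = $dn; Owner = $acl.Owner; Sddl = $acl.Sddl }
    }
    $snapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
    $snapshot
}

function Compare-AdAclBaseline {
    param([Parameter(Mandatory)][string]$BaselinePath, [Parameter(Mandatory)][string]$CurrentPath)
    $baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
    $current  = @(Get-Content -Path $CurrentPath  -Raw | ConvertFrom-Json)
    # A row on only one side is an object that was added or removed, or whose owner or
    # descriptor changed since the baseline; each one is a review item.
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Object, Owner, Sddl -PassThru |
        Select-Object @{ n = 'Side'; e = { if ($_.SideIndicator -eq '<=') { 'baseline' } else { 'current' } } },
                      Object, Owner, Sddl
}

function Get-AdPermissionChangeEvent {
    param([Parameter(Mandatory)][string]$DomainController, [int]$Hours = 24)
    # Event 5136 ("A directory service object was modified") names the attribute that
    # changed: nTSecurityDescriptor means a permission edit, and any change on a
    # groupPolicyContainer object is a GPO edit. OperationType %%14674 is "value added",
    # %%14675 is "value deleted".
    $filter = @{ LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $isAclChange = $data.AttributeLDAPDisplayName -eq 'nTSecurityDescriptor'
            $isGpoChange = $data.ObjectClass -eq 'groupPolicyContainer'
            if ($isAclChange -or $isGpoChange) {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    Actor     = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                    Object    = $data.ObjectDN
                    Attribute = $data.AttributeLDAPDisplayName
                    Operation = @{ '%%14674' = 'value added'; '%%14675' = 'value deleted' }[$data.OperationType]
                    Kind      = if ($isAclChange) { 'permission change' } else { 'GPO change' }
                }
            }
        }
}

# Usage (file paths and DC name are placeholders):
# Export-AdAclBaseline -Path 'C:\Baseline\ad-acl-baseline.json'      # once, right after the initial review
# Export-AdAclBaseline -Path 'C:\Baseline\ad-acl-current.json'       # on every review cycle
# Compare-AdAclBaseline -BaselinePath 'C:\Baseline\ad-acl-baseline.json' -CurrentPath 'C:\Baseline\ad-acl-current.json'
# Get-AdPermissionChangeEvent -DomainController 'DC01' -Hours 168 | Format-Table -AutoSize
```

The baseline diff tells you that something changed; the 5136 events tell you who changed it and when, and the two should be reconciled against your change records. Security events are logged on the domain controller that processed the write, so query every DC or, better, forward the Security log to a SIEM such as the Microsoft Sentinel mentioned above and alert on 5136 events for nTSecurityDescriptor there.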
We can also help you audit your Active Directory domain for all permissions and give you a neat report of which object or user has what level of permissions and capabilities in your Domain, which would look like this.
1 yr - Derek Melber wrote an article about it...